Git-Url: 
http://git.frugalware.org/gitweb/gitweb.cgi?p=frugalware-0.9.git;a=commitdiff;h=2f2b716aeb5a816eb1f7e023852c06f7f20bea7e

commit 2f2b716aeb5a816eb1f7e023852c06f7f20bea7e
Author: voroskoi <[EMAIL PROTECTED]>
Date:   Mon Oct 20 18:22:49 2008 +0200

proftpd-1.3.1-5solaria1-i686

secfix relbump
closes #3370

diff --git a/source/network/proftpd/CVE-2008-4242.diff 
b/source/network/proftpd/CVE-2008-4242.diff
new file mode 100644
index 0000000..7d5c68e
--- /dev/null
+++ b/source/network/proftpd/CVE-2008-4242.diff
@@ -0,0 +1,171 @@
+Patch taken from debian, closes
+http://secunia.com/advisories/cve_reference/CVE-2008-4242/
+diff -urNad trunk~/src/main.c trunk/src/main.c
+--- trunk~/src/main.c  2008-09-21 23:50:55.000000000 +0200
++++ trunk/src/main.c   2008-09-21 23:50:55.000000000 +0200
+@@ -674,12 +674,17 @@
+   while (TRUE) {
+     pr_signals_handle();
+
++    memset(buf,'\0',sizeof(buf));
++
+     if (pr_netio_telnet_gets(buf, sizeof(buf)-1, session.c->instrm,
+         session.c->outstrm) == NULL) {
+
+-      if (PR_NETIO_ERRNO(session.c->instrm) == EINTR)
+-        /* Simple interrupted syscall */
++      if (errno == E2BIG) {
++         /* The client sent a too-long command which was ignored; give
++          * them another chance?
++          */
+       continue;
++      }
+
+ #ifndef PR_DEVEL_NO_DAEMON
+       /* Otherwise, EOF */
+@@ -695,20 +700,31 @@
+
+     if (cmd_buf_size == -1) {
+       int *bufsz = get_param_ptr(main_server->conf, "CommandBufferSize", 
FALSE);
++      size_t default_cmd_bufsz;
++
++      /* It's possible for the admin to select a PR_TUNABLE_BUFFER_SIZE which
++       * is smaller than PR_DEFAULT_CMD_BUFSZ.  We need to handle such cases
++       * properly.
++       */
++      default_cmd_bufsz = PR_DEFAULT_CMD_BUFSZ;
++      if (default_cmd_bufsz > sizeof(buf)) {
++        default_cmd_bufsz = sizeof(buf);
++      }
++
+       if (bufsz == NULL) {
+-        cmd_buf_size = PR_DEFAULT_CMD_BUFSZ;
++        cmd_buf_size = default_cmd_bufsz;
+
+       } else if (*bufsz <= 0) {
+         pr_log_pri(PR_LOG_WARNING, "invalid CommandBufferSize size (%d) "
+           "given, using default buffer size (%u) instead",
+-          *bufsz, PR_DEFAULT_CMD_BUFSZ);
+-        cmd_buf_size = PR_DEFAULT_CMD_BUFSZ;
++          *bufsz, default_cmd_bufsz);
++        cmd_buf_size = default_cmd_bufsz;
+
+       } else if (*bufsz + 1 > sizeof(buf)) {
+         pr_log_pri(PR_LOG_WARNING, "invalid CommandBufferSize size (%d) "
+           "given, using default buffer size (%u) instead",
+-          *bufsz, PR_DEFAULT_CMD_BUFSZ);
+-        cmd_buf_size = PR_DEFAULT_CMD_BUFSZ;
++          *bufsz, default_cmd_bufsz);
++        cmd_buf_size = default_cmd_bufsz;
+
+       } else {
+         pr_log_debug(DEBUG1, "setting CommandBufferSize to %d", *bufsz);
+diff -urNad trunk~/src/netio.c trunk/src/netio.c
+--- trunk~/src/netio.c 2008-09-21 23:39:34.000000000 +0200
++++ trunk/src/netio.c  2008-09-21 23:52:17.000000000 +0200
+@@ -1,6 +1,6 @@
+ /*
+  * ProFTPD - FTP server daemon
+- * Copyright (c) 2001-2007 The ProFTPD Project team
++ * Copyright (c) 2001-2008 The ProFTPD Project team
+  *
+  * This program is free software; you can redistribute it and/or modify
+  * it under the terms of the GNU General Public License as published by
+@@ -30,19 +30,19 @@
+ #include <signal.h>
+
+ #ifndef IAC
+-#define IAC   255
++# define IAC  255
+ #endif
+ #ifndef DONT
+-#define DONT  254
++# define DONT 254
+ #endif
+ #ifndef DO
+-#define DO    253
++# define DO   253
+ #endif
+ #ifndef WONT
+-#define WONT  252
++# define WONT 252
+ #endif
+ #ifndef WILL
+-#define WILL  251
++# define WILL 251
+ #endif
+
+ static const char *trace_channel = "netio";
+@@ -51,6 +51,17 @@
+ static pr_netio_t *core_data_netio = NULL, *data_netio = NULL;
+ static pr_netio_t *core_othr_netio = NULL, *othr_netio = NULL;
+
++/* Used to track whether the previous text read from the client's control
++ * connection was a properly-terminated command.  If so, then read in the
++ * next/current text as per normal.  If NOT (e.g. the client sent a too-long
++ * command), then read in the next/current text, but ignore it.  Only clear
++ * this flag if the next/current command can be read as per normal.
++ *
++ * The pr_netio_telnet_gets() uses this variable, in conjunction with its
++ * saw_newline flag, for handling too-long commands from clients.
++ */
++static int properly_terminated_prev_command = TRUE;
++
+ static pr_netio_stream_t *netio_stream_alloc(pool *parent_pool) {
+   pool *netio_pool = NULL;
+   pr_netio_stream_t *nstrm = NULL;
+@@ -911,7 +922,7 @@
+   char *bp = buf;
+   unsigned char cp;
+   static unsigned char mode = 0;
+-  int toread;
++  int toread, saw_newline = FALSE;
+   pr_buffer_t *pbuf = NULL;
+
+   if (buflen == 0) {
+@@ -940,8 +951,9 @@
+           *bp = '\0';
+           return buf;
+
+-        } else
++        } else {
+           return NULL;
++        }
+       }
+
+       pbuf->remaining = pbuf->buflen - toread;
+@@ -1004,6 +1016,8 @@
+       toread--;
+       *bp++ = *pbuf->current++;
+       pbuf->remaining++;
++
++      saw_newline = TRUE;
+       break;
+     }
+
+@@ -1011,6 +1025,25 @@
+       pbuf->current = NULL;
+   }
+
++  if (!saw_newline) {
++    /* If we haven't seen a newline, then assume the client is deliberately
++     * sending a too-long command, trying to exploit buffer sizes and make
++     * the server make some possibly bad assumptions.
++     */
++
++    properly_terminated_prev_command = FALSE;
++    errno = E2BIG;
++    return NULL;
++  }
++
++  if (!properly_terminated_prev_command) {
++    properly_terminated_prev_command = TRUE;
++    pr_log_pri(PR_LOG_NOTICE, "client sent too-long command, ignoring");
++    errno = E2BIG;
++    return NULL;
++  }
++
++  properly_terminated_prev_command = TRUE;
+   *bp = '\0';
+   return buf;
+ }
diff --git a/source/network/proftpd/FrugalBuild 
b/source/network/proftpd/FrugalBuild
index a195e81..ba5d135 100644
--- a/source/network/proftpd/FrugalBuild
+++ b/source/network/proftpd/FrugalBuild
@@ -5,7 +5,7 @@
pkgname=proftpd
pkgver=1.3.1
pkgextraver=
-pkgrel=4
+pkgrel=5solaria1
pkgdesc="Highly configurable GPL-licensed FTP server software"
url="http://www.proftpd.org/";
groups=('network')
@@ -15,8 +15,8 @@ makedepends=('tcp_wrappers' 'mysql')
backup=(etc/{proftpd.conf,ftpusers})
up2date="lynx -dump $url | Flasttar"
source=(ftp://ftp.proftpd.org/distrib/source/$pkgname-$pkgver$pkgextraver.tar.bz2
 \
-       rc.proftpd proftpd.conf ftpusers compile.patch)
-signatures=($source.asc '' '' '' '')
+       rc.proftpd proftpd.conf ftpusers compile.patch CVE-2008-4242.diff)
+signatures=($source.asc '' '' '' '' '')

build()
{
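Review bot: Nothing in this hunk shows CVE-2008-4242.diff actually being applied: it is added to `source=()` with an empty `signatures` entry, and the body of `build()` lies outside the hunk. Since the security fix is the whole reason for the release bump, it is worth confirming in the build log that the patch applies cleanly to both `src/main.c` and `src/netio.c` at the strip level its `trunk~/` and `trunk/` paths imply. A one-line comment above `source=()` such as `# CVE-2008-4242.diff: taken from Debian, see #3370` would record where the unsigned file came from.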